One static, 1 dynamic address ...

  • This question has been asked many times, but I have yet to see a concise and clear answer to it. Here is the situation.

    In Australia, publicly routable IP addresses for LTE services are:

    1 - Hard to get
    2 - Expensive
    3 - Add a LOT to latency as all traffic that uses them is routed via 1 exchange in Sydney irrespective of where you are in the country.

    So, for my site to site IPSEC VPN I have:

    Fixed IP for fibre connection into main office (SG3100 server lives here)
    10 LTE routers at remote sites, each with a dynamic, non-routable IP. So these clients need to be able to connect to the server. I'm 100% happy for the server to act as a responder only. I've done this before with Cisco ASA etc., so I know the LTE side is capable of it. I assume there must be a way for the pfSense to do the same thing?

    Anyone have any insights? Please note the condition: DynDNS at the LTE client cannot be part of the solution.

  • OK. For anyone's interest, this does work.

    1 - Turn off automatic firewall creation on the pfSense.
    2 - Set the wan address in phase 1 to
    3 - In phase 1 advanced select responder only.
    4 - Create any/any firewall rule in IPSEC rules.
    5 - Create UDP/500, UDP/4500 and ESP all rules.

    And we have success, thanks in no small part to some very patient support staff.
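As an added example (not from the thread or from pfSense itself), the check below reads a config.xml export and confirms the three things the steps above rely on: phase 1 is responder-only, the dynamic peer is identified by something other than its IP address, and the WAN has pass rules for UDP/500, UDP/4500 and ESP. The element names, the `0.0.0.0` remote gateway and the `peerid_type` values are assumptions about the export format, and the embedded config is a constructed sample.

```python
"""Sanity-check a pfSense config.xml export for a responder-only IPsec
setup with dynamic (non-routable) LTE peers."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a pfSense config.xml export.
# Element names and values are assumptions, not copied from a real box.
SAMPLE_CONFIG = """<pfsense>
  <ipsec>
    <phase1>
      <ikeid>1</ikeid>
      <interface>wan</interface>
      <remote-gateway>0.0.0.0</remote-gateway>
      <peerid_type>keyid tag</peerid_type>
      <peerid_data>lte-site-07</peerid_data>
      <responderonly></responderonly>
    </phase1>
  </ipsec>
  <filter>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <destination><network>wanip</network><port>500</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
      <destination><network>wanip</network><port>4500</port></destination></rule>
    <rule><type>pass</type><interface>wan</interface><protocol>esp</protocol>
      <destination><network>wanip</network></destination></rule>
  </filter>
</pfsense>"""

# Peer ID types that tie authentication to the peer's address; useless for a
# peer whose address changes (assumed value names).
IP_BASED_PEER_IDS = ("peeraddress", "address")


def check_ipsec_responder(xml_text: str) -> dict:
    """Return a dict of named boolean findings for the export."""
    root = ET.fromstring(xml_text)
    findings = {}
    for p1 in root.iter("phase1"):
        ikeid = p1.findtext("ikeid")
        # An empty <responderonly/> element means the box is checked.
        findings[f"p1-{ikeid}-responderonly"] = p1.find("responderonly") is not None
        findings[f"p1-{ikeid}-peer-id-not-ip"] = (
            p1.findtext("peerid_type") not in IP_BASED_PEER_IDS)
    wan_pass = [r for r in root.iter("rule")
                if r.findtext("interface") == "wan" and r.findtext("type") == "pass"]

    def allows(proto, port=None):
        # A rule matches if protocol agrees and, for UDP, the destination port too.
        return any(r.findtext("protocol") == proto
                   and (port is None or r.findtext("destination/port") == port)
                   for r in wan_pass)

    findings["wan-udp-500"] = allows("udp", "500")
    findings["wan-udp-4500"] = allows("udp", "4500")
    findings["wan-esp"] = allows("esp")
    return findings
```

Any `False` in the result is one of the five steps above that did not take effect; run it against the export after saving the phase 1 and the WAN rules.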

